Re: Future TLS roadmap

From: Date: Fri, 21 Feb 2014 21:18:40 +0000
Subject: Re: Future TLS roadmap
Groups: php.internals
On Wed, Feb 12, 2014 at 4:41 PM, Yasuo Ohgaki <[email protected]> wrote:

> Hi all,
>
> On Wed, Feb 12, 2014 at 10:39 PM, Pádraic Brady <[email protected]> wrote:
>
>> On 12 February 2014 13:22, Daniel Lowrey <[email protected]> wrote:
>> > FYI, these are things I plan to work on for the post-5.6 timeframe:
>> >
>> > - Support for SNI in *servers* (currently only supported by clients)
>> > - Support for DTLS (datagram client/server encryption)
>> > - Mitigating the client-initiated renegotiation DoS vector in TLS
>> servers
>> >
>> > Most TLS changes could probably pass as "security fixes" and may be
>> > feasible for 5.6 bugfix releases. The alternative is obviously to put
>> them
>> > in master and wait for 5.7. In any case we can cross that bridge when we
>> > get there.
>>
>> I'd support the renegotiation DOS vector as a current bugfix - it's
>> been documented for what, 2 years now since a POC was published?
>
>
> I'm getting used to delayed security fixes...
> +1 for fix it ASAP.
>
>
To interested parties ...

Because it's a security vulnerability for encrypted stream servers, I've
taken care of client-initiated renegotiation DoS mitigation and merged it
for 5.6:

https://github.com/php/php-src/pull/600

The implementation uses a standard leaky bucket rate-limiting approach. If
you'd like to know more just click over to the PR link above.
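To make the mitigation concrete for readers who do not want to dig through the PR, here is a small leaky-bucket limiter for client-initiated renegotiations. This is an added illustration written for this message, not the code from php-src PR #600: the bucket capacity, the leak rate and the timestamps are constructed values, and the real limits PHP uses are whatever the PR chose. The idea is the same, though: each renegotiation request the peer sends adds one unit to a per-connection bucket, the bucket drains at a fixed rate over wall-clock time, and a peer that manages to overflow it is treated as abusive and the server closes the connection instead of doing another expensive handshake.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not php-src code. Capacity and leak rate are placeholders
 * chosen for illustration; PHP's actual limits live in PR #600. */

/* Per-connection renegotiation bucket. */
typedef struct {
    double level;        /* current fill, one unit per renegotiation request */
    double capacity;     /* fill at which further requests are rejected */
    double leak_per_sec; /* units drained per second of wall-clock time */
    double last_ts;      /* time (seconds) of the last update */
} reneg_bucket;

void reneg_bucket_init(reneg_bucket *b, double capacity,
                       double leak_per_sec, double now)
{
    b->level = 0.0;
    b->capacity = capacity;
    b->leak_per_sec = leak_per_sec;
    b->last_ts = now;
}

/* Drain the bucket for the time elapsed since the last update. */
static void reneg_bucket_leak(reneg_bucket *b, double now)
{
    double elapsed = now - b->last_ts;
    if (elapsed > 0.0) {
        b->level -= elapsed * b->leak_per_sec;
        if (b->level < 0.0) {
            b->level = 0.0;
        }
    }
    b->last_ts = now;
}

/* Called from the TLS layer each time the peer asks to renegotiate.
 * Returns true if the handshake may proceed, false if the peer has
 * exceeded the limit and the server should drop the connection. */
bool reneg_bucket_allow(reneg_bucket *b, double now)
{
    reneg_bucket_leak(b, now);
    if (b->level + 1.0 > b->capacity) {
        return false; /* bucket would overflow: abusive peer */
    }
    b->level += 1.0;
    return true;
}

/* Simulate n renegotiation requests spaced interval_sec apart (0 for a
 * single burst) and return how many the limiter would let through. */
int reneg_simulate(double capacity, double leak_per_sec,
                   double interval_sec, int n)
{
    reneg_bucket b;
    int accepted = 0;
    reneg_bucket_init(&b, capacity, leak_per_sec, 0.0);
    for (int i = 0; i < n; i++) {
        if (reneg_bucket_allow(&b, i * interval_sec)) {
            accepted++;
        }
    }
    return accepted;
}

int main(void)
{
    /* Constructed scenario: capacity 5, draining one unit per second. */
    printf("burst of 20 at once:      %d accepted\n",
           reneg_simulate(5.0, 1.0, 0.0, 20));
    printf("20 spaced 1s apart:       %d accepted\n",
           reneg_simulate(5.0, 1.0, 1.0, 20));
    printf("20 spaced 0.5s apart:     %d accepted\n",
           reneg_simulate(5.0, 1.0, 0.5, 20));
    return 0;
}
```

A well-behaved client that renegotiates occasionally never fills the bucket, while a peer hammering the server with back-to-back renegotiation requests is cut off after the first few, which is what bounds the CPU a single connection can burn. The limit should be per connection, since the attack is cheap for the client precisely because it reuses one established TCP connection.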
